My Bank Wants a "Professional" Virus Scan of My Computer!

Just interested to know the community's view on my situation.

About two weeks ago I was the victim of a cyber attack. It all started immediately after my mobile phone number was illegally SIM swapped (see previous post). Within minutes of this occurring, the attacker was able to reset the passwords to several of my bank accounts (we are all vulnerable to this type of attack unfortunately). The good news is that all banks were able to thwart the loss of any funds fortunately.

But here is the rub. I was able to get all my online banking back up and operating with minimal effort. However, one bank is making it much more difficult to reinstate my internet banking. They told me that they wanted a written statement from my telco explaining how the attack occurred, when it occurred and that my number was safely back in my hands and safe from future attacks. They also wanted screen shot scans of Malwarebytes and Trend Micro Internet Security scans. Finally, that I had changed my email password. I now use BitWarden password manager on all bank related logins with 12-16 character random alphanumeric strings including symbols! So, I complied with my bank's request and sent all the information that they requested.

However, it now turns out that this is insufficient for them and they want to change the goalposts again. Now they want me to take my computer to a "professional IT person" to have it scanned. I told them that I have what I think are above average computer skills since I code in Linux and have used Windows platforms for all of my professional career. I even offered to allow them to remote in to my computer, under my supervision, so that they can run their own suite of programs. They said they could not do that and insisted on an "IT professional scan". I put it to them that if they want me to do this then they reimburse me for out of pocket expenses - they said they are considering that.

Now, I know that a lot of you out there that read this forum have pretty high computer literacy skills compared to the masses (otherwise you probably wouldn't be reading this forum, right!!).

So, can you educate me as to what skills/programs/antivirus scanners etc that an "IT professional" would/could use or have access to that I could NOT do/obtain or use myself?

Comments

  • +33

    Never heard of them going to this extent - were the amounts lost substantial or were there any other red flags?

    • Bank was able to stop all withdrawals thankfully.

      • +8

        This is just bizarre. I'm a Senior Systems Admin/Engineer and this reeks of bullshit.

        The only thing I'd do differently is run an ESET Online Antivirus Scan (you download a utility and it does a scan, it's googleable). It's so stupid because if you have a thumb drive/backup drive/removable media with an infected file any check done means diddly squat the second you leave the shop. Besides all this is the fact that it wasn't even the method of intrusion!

        If you have any friends who work in IT just get them to run an AV scan or two over it, write a letter to the insurance saying what they have done and that they are an IT Professional, and see where it leads.

        • +1

          Concurred. I'd also ask the bank to specify what an 'IT Professional Scan' is. They clearly have no processes/criteria around it and the fact they want an AV check for a SIM attack is just stupid.

          Finally, it potentially could be illegal (I'm no lawyer…) but functionally a bank is asking for access to your personal computer, including requirements to use specific AV/malware scanners with evidence before granting you access to your funds. Seems shady to me.

        • When I was working in the consumer space as a “Professional” I’d see this often with my customers. They’d take a phone call or something, get infected or syskey’d, and wise up and call the bank.

          I wonder how the bad guy got OP's online phone acc password to begin with tho

      • +1

        If they don't reimburse, then outright deny.

        BTW which bank exactly?

    • For the banks, this is prob a legitimate concern. If this happened to one customer, it could happen to any customer.

    • Backup files
      Reinstall windows fresh from usb boot disk deleting all partitions while doing so (windows makes new ones 4 u)

      *Make sure the backup files are virus free before copying back

      DONE!…. END OF STORY.. NOTHING left TO SCAN.

      You can get on with your life

  • +7

    this is his previous post https://www.ozbargain.com.au/node/647651

  • +171

    Just change banks. Not worth the effort.

    • +1

      Yeah, I had thought of that! But not quite there yet!

      • +79

        I would've been there with their initial request.

      • +44

        I would have said "bye-bye" at "professional virus scan"

        • +9

          Never come across a non professional virus scan, except those offered by service providers who like to be paid in Crypto or else iTune vouchers…..

          • +6

            @Ade99: They are professionals though, just in a different area

      • +15

        If your car was stolen and then the bank wanted to search your house for termites before reinstating access, would you stay with them?!

        It's completely nonsensical that they want to probe your PC when the attack vector was your telco letting your mobile number be stolen.

        • +2

          nah the attackers needed access to his email/PC first to collect usernames/passwords/mobile no for his bank accounts. then swap sims for the 2 factor auth.

          • +2

            @thepigs: Well if that is known to have happened on OP's PC then the bank's request makes more sense.

            But it could be that the attackers stole some paper mail, or a shop that OP bought something at was hacked, or they logged into their account one time on a friend's computer which was pwnd, or…

            Most banks will do a password reset over the phone with a name, address, DOB, and maybe an SMS to verify if you're lucky (which wouldn't help in this case!), no need to hack in to steal the account number and password

            • +4

              @abb: yeah true, and I agree the bank's request is over the top. But as the attackers had the login details to 'several' of his bank accounts it's prob an email or PC hack.

              • -1

                @thepigs: More likely they did the standard SIM swap and scraped/bought OP's data from a scam list and hit up the bank with the details.

                If they had access to his PC they wouldn't have needed to SIM swap at all.

                Based on OP switching everything to 16varchar with a PW manager I'd assume all his bank passwords were the same or very similar without any special characters etc.

      • It would've been my next task immediately after their first request. There are so many alternatives that it should be them reviewing THEIR procedures AND abusing Telcos on both YOUR and their other clients' behalf, because it's not you that was the problem… both of those causes were outside of you and are what's at fault. i.e. The Telco shouldn't allow such easy switching, and the bank shouldn't allow accounts to be modified so easily based upon it either. Years ago to do anything like that you had to walk into a branch and produce about 3x different types of ID. Now, for 'convenience', they've made losing our savings a minefield for us, while handing a printed map for scammers to follow they use to learn every trick that sets them off in a chain reaction.

    • +6

      Same here, would have taken my money elsewhere.

      Unless it is in their T&Cs and it is a requirement to have a professional IT check before applying for an account with them….I doubt it

    • +11

      Exactly. Can OP tell us what bank it is so we'd avoid it as well?

      • +3

        I really wish OP would leak the bank name, this is beyond idiocy.

  • +3

    Make your passwords longer than 12-16 if the password field allows.

    There are no programs that you can't get yourself. Format the PC.

    • +7

      Huge pet peeve that my main bank password max length is like 12

      Absolutely stupid, and being an experienced software engineer, I can confidently say there's no technical reason for it.

      • +16

        Westpac it is 6 characters and Text and numerals only (no special characters) and not case sensitive….. so consider yourself lucky :-)

        • +8

          Lol, ING just allows 4 numbers

          • @FirstWizard: I used to have a 6 digit PIN with Bendigo but last time they gave me a new card there was only the option to set a 4 digit PIN.

            The password for internet banking is limited to 8 characters. It's a joke.

            • +2

              @Antikythera: I'm not even talking about the card PIN.

              This is for the access code for internet banking

      • +12

        commbank passwords aren't case sensitive…

        • +10

          WTF!?
          I just tried it and you're right…. 🤯

          • +9

            @elcap: Shit so I’ve been unnecessarily wasting time capitalising IhateBiden6699 all this time

            • +2

              @Donaldhump: You can't just swap a couple of numbers around and expect your password to remain safe on a public forum.

      • +1

        I heard that some of the banks are using ancient hardware DES systems hence these obscure password "simplicity" requirements.

        • +1

          This might explain why several banks I’ve contacted are so resistant to change. ING (4 numbers), 86400 (no password) and Up (6 numbers) have all refused to add better passwords. Suncorp finally increased theirs from 8 character max which was nice though

      • Huge pet peeve that my main bank password max length is like 12

        This is enough reason to change banks. These guys have no clue what they are doing.

  • +48

    Name and shame the bank.

    • +2

      Which bank?

      • +15

        Witch Bank.

        • +2

          Me bank or U bank?

    • +3

      It will be really hard to make sure that there is no personal info without a nuke wipe. Software is storing bits and pieces almost everywhere on the drive, some intentionally and some unintentionally when crashed.

  • +15

    Name and shame please.

    Otherwise I'm just going to assume it's Westpac.

    • +3

      No not Westpac, it starts with an M!!

      • +1

        Selfish banks. Always thinking about me me me

        Yes or no?

      • +8
      • +4

        All the banks starting with M suck. Jump ship now.

        • +3

          Don't you mean all the ones starting with B 🙂

        • -1

          Not sure what sucks about Macquarie (other than this post, if it's even them). Their signup was only a few minutes, online, with zero fuss, the fastest and least annoying I've ever done. Also one of the few who give a Debit Mastercard (not Visa) with no yearly or account fees plus no international currency conversion fees.

          • +1

            @Faulty P xel: Wait till they send you a renewed Debit Card that is already activated via the mail.

            • @jpl: But all the financial institutions I use do that. Some used to send out the new PIN separately on a different day. But I don't think they even do that anymore… they just say to continue using the same PIN now.

              • +1

                @Faulty P xel: I mean activated as it can be used for tap even when it is still sealed in the envelope.

                • @jpl: Can you give an example how you activate your new cards then? Because I use, um let's see… 6 different cards with 4 different banks and I can't recall activating being required before using replacement cards. A new card with another x years arrives, I just go onto ebay or Amazon, pay using that card, and if it worked ok I cut up the old card. Doesn't that mean anyone who intercepts the mail can do the same?

                  I hate tap and pay. It should never have been introduced. Or at least give customers the choice if they want it on their card (they don't give you a choice, I asked). I had 4x different cards in my wallet. Went through a supermarket checkout, pulled out my wallet, took out card 1 to get easier access to pull out card 2, but before I could slide card 2 down the slot the scanner beeped and took payment from card 1 through tap and pay. I couldn't believe it.

                  • @Faulty P xel: NAB allows you to turn off 'features' like tap'n'pay on their VISA card. Can also independently turn off ATM withdrawal, online payments and international payments.

                  • +1

                    @Faulty P xel: Under normal circumstances a renewed new card is not activated. It is normally sent out by post (unless you asked for pickup at the branch) and can be intercepted by posties and crooks breaking into mail boxes.

                    Since it is not activated, anyone who intercepted the card will not be able to use it. When the user receives the card, the user logs in to netbank/online banking to activate the new card.

                    If a card is sent out pre-activated, meaning the user does not need to log in to netbank/online banking to activate it, anyone who intercepted the card can use it straight away, even when it is still sealed in the envelope. This is one of the reasons why mail theft is increasing, because the banks are feeding the seagull.

                    • +2

                      @jpl: Macquarie Bank customer here. I did not receive my initial Debit Card so they sent me a replacement. It turns out that my initial card was stolen in the mail and was used to purchase multiple $200 gift cards from Coles and Woolies in Blacktown. And yes the cards did not require activation as it was already activated when it was sent.

                      This was absolutely baffling to me that any bank in this day and age would do this. All of my other cards from other banking institutes require activation once the card is received.

                      • @kevmev12: That is the first that I ever heard. All other banks I used never sent an activated card. Always have to log in to internet banking to activate. I'm pretty sure I had to activate Macquarie credit card as well. I don't have a bank account with Macquarie so I'm surprised with their activated debit card practice.

                        • @kctt: Yes, really surprised when I found out too.

                          They spent hundreds of millions in cyber security to move 5 steps forward, but chose convenience in this case and move 10 steps backward.

                      • +1

                        @kevmev12: They knew crooks were targeting cards from the mailboxes, but they chose convenience over risk, moreover it is not their risk.

                        Since the debit card money is yours not theirs, if your money is stolen via the debit card, it is your burden to prove it was stolen. Even if they are willing to help you recover, it will take weeks, and if you are unlucky and urgently need the money, you are fark!

                        I am lucky that I found out this is the case and lodged a case before the card arrived, so that money stolen during mail transit is their responsibility.

                        Did you manage to get back the money? If not, and if you are thinking of filing a case with authority, I can back you up. Send me a PM with your email.

                        • @jpl: Yes I got my money back and thankfully it was a relatively painless process and their customer service was helpful. My money was returned in just over a week.

                          But given I was a new customer, the whole debacle didn't give me a very good first impression of their security policies. It was a new joint account; my wife received her initial card but I didn't. When I called them to report the unauthorised transaction, I told them the very idea of sending pre-activated debit/credit cards in the mail these days was a recipe for disaster.

                          Macquarie seemed to be such a big name in Australian finance, it was astonishing they would do something like this!

      • +11

        Mestpac

      • I’m guessing Me - I’ve heard of this happening with them before

      • +3

        Mum & Dad

    • +58

      Nobody can hack the password of a Westpac account, they allow super secure passwords up to 6 characters in length…

      • ^

        • Pretty shocking when I opened my 3%p.a Acc.

      • Don't you need 2FA to log in?

        • +2

          Not that I can see, there is a non-mandatory SMS security option, but it might only be required if you move money, I'm not sure.
          I only have my home loan with them, I wouldn't keep cash in there tbh…
          Edit: I can login on my laptop with just the 6 chars password

          • +1

            @RiseAndRuin: 2FA SMS for creating payments to new external accounts.

        • Jesus, and I thought ANZ was bad for not allowing special characters in their passwords!

        • +5

          There is no 2FA log in option. I've asked.

      • +2

        Qudos Bank beats that.

        4 digit pin and no 2FA

        • +2

          They're saving money on security because they need it to buy sponsorship/naming rights at stadiums

      • +3

        At least it can be typed in now, instead of having to use that god awful on screen keyboard. Still no special characters either :(

      • 3 password tries, it's not brute force

      • +3

        Once I found a loophole in Westpac's online banking where one can repeatably make a payment without having the balance deducted.

        Despite giving them the steps to reproduce the bug, it took me 3 months to convince them of the existence of the bug, not until sending out emails to every freaking director on their list.

        • +6

          I mean, are you sure you could pay for stuff without having your account debited?

          Maybe it was just a coincidence the first 999 times, better keep testing.

          • +1

            @abb: Yes, Westpac took 3 months to acknowledge the bug.

            • +6

              @jpl: really you should have posted the hack on ozbargain ;)

      • All those big crypto projects have been making innovations on cryptography whereas banks now still only allow max 6 character length passwords. I'm speechless.

        These guys will get brutally slaughtered by all new tech companies in the coming years/decades.

      • While not being ideal, 6 is long enough as long as they lock the account after a couple of failed tries.

  • +1

    Sounds like they want to ensure your risk from further attacks is low, but come across as you having to accept full liability from future compromises.

  • +8

    Get it in writing and make sure it:
    1) says this is all you need to do otherwise they will change things
    2) Make sure they define what an "IT professional" is as there is no such qualification available from any government institution…. You are an IT professional as you are in IT and make a living off it.
    3) Change banks as they are a PITA and do not have a clear process from your dealings with them.
